Cloud Computing Studies by the GAO
Additional Opportunities and Savings Need to Be Pursued GAO-14-753: Publicly Released: Sep 25, 2014.
Why GAO Did This Study
Cloud computing is a relatively new process for acquiring and delivering computing services via information technology (IT) networks. Specifically, it is a means for enabling on-demand access to shared and scalable pools of computing resources with the goal of minimizing management effort and service provider interaction. To encourage federal agencies to pursue the potential efficiencies associated with cloud computing, the Office of Management and Budget (OMB) issued a “Cloud First” policy in 2011 that required agency Chief Information Officers to implement a cloud-based service whenever there was a secure, reliable, and cost-effective option.
GAO was asked to assess agencies' progress in implementing cloud services. GAO's objectives included assessing selected agencies' progress in using such services and determining the extent to which the agencies have experienced cost savings. GAO selected for review the seven agencies that it reported on in 2012 in order to compare their progress since then in implementing cloud services; the agencies were selected using the size of their IT budgets and experience in using cloud services. GAO also analyzed agency cost savings and related documentation and interviewed agency and OMB officials.
What GAO Found
Each of the seven agencies reviewed implemented additional cloud computing services since GAO last reported on their progress in 2012. For example, since then, the total number of cloud computing services implemented by the agencies increased by 80 services, from 21 to 101. The agencies also added to the amount they reported spending on cloud services by $222 million, from $307 million to $529 million. Further, the agencies increased the percentage of their information technology (IT) budgets allocated to cloud services; however, as shown in the table, the overall increase was just 1 percent.
The agencies' relatively small increase in cloud spending as a percent of their overall IT budgets is attributed, in part, to the fact that these agencies collectively had not considered cloud computing services for about 67 percent of their investments. With regard to why these investments had not been assessed, the agencies said it was in large part due to these being legacy investments in operations and maintenance; the agencies had only planned to consider cloud options for these investments when they were to be modernized or replaced. This is inconsistent with Office of Management and Budget policy that calls for cloud solutions to be considered first whenever a secure, reliable, and cost-effective option exists regardless of where the investment is in its life cycle. Until the agencies fully assess all their IT investments, they will not be able to achieve the resulting benefits of operational efficiencies and cost savings.
The agencies collectively reported cost savings of about $96 million from the implementation of 22 of the 101 cloud services. These savings included both one-time and multiyear savings. For example, the General Services Administration saved $2.6 million by migrating to a cloud customer service solution, and Homeland Security saved $1.2 million from fiscal years 2011 through 2013 by implementing a cloud-based collaboration service. Agency officials cited two major reasons for why the other services they had implemented did not save money. First, a motivation for changing to some of the cloud-based services was not to reduce spending, but to improve service. Second, in selected cases, the cloud computing service opened up a new service or provided a higher quality of service; while this provided useful benefits to the agency, the associated costs negated any savings.
GAO is recommending, among other things, that the seven agencies assess the IT investments identified in this report that have yet to be evaluated for suitability for cloud computing services. Of the seven agencies, six agreed with GAO's recommendations, and one had no comments.
Cloud Computing: Agencies Need to Incorporate Key Practices to Ensure Effective Performance GAO-16-325: Publicly Released: Apr 7, 2016.
Why GAO Did This Study
Cloud computing is a means for delivering computing services via IT networks. When executed effectively, cloud-based services can allow agencies to pay for only the IT services used, thus paying less for more services. An important element of acquiring cloud services is a service level agreement (SLA) that specifies, among other things, what services a cloud provider is to perform and at what level.
GAO was asked to examine federal agencies' use of SLAs. GAO's objectives were to (1) identify key practices in cloud computing SLAs and (2) determine the extent to which federal agencies have incorporated such practices into their SLAs. GAO analyzed research, studies, and guidance developed by federal and private entities to develop a list of key practices to be included in SLAs. GAO validated its list with the entities, including OMB, and analyzed 21 cloud service contracts and related documentation of five agencies (with the largest fiscal year 2015 IT budgets) against the key practices to identify any variances, their causes, and impacts.
What GAO Found
Federal and private sector guidance highlights the importance of federal agencies using a service level agreement (SLA) in a contract when acquiring information technology (IT) services through a cloud computing services provider. An SLA defines the level of service and performance expected from a provider, how that performance will be measured, and what enforcement mechanisms will be used to ensure the specified performance levels are achieved. GAO identified ten key practices to be included in an SLA, such as identifying the roles and responsibilities of major stakeholders, defining performance objectives, and specifying security metrics. The key practices, if properly implemented, can help agencies ensure services are performed effectively, efficiently, and securely. Under the direction of the Office of Management and Budget (OMB), guidance issued to agencies in February 2012 included seven of the ten key practices described in this report that could help agencies ensure the effectiveness of their cloud services contracts.
GAO determined that the five agencies and the 21 cloud service contracts it reviewed had included a majority of the ten key practices. Specifically, of the 21 cloud service contracts reviewed from the Departments of Defense, Health and Human Services, Homeland Security, Treasury, and Veterans Affairs, 7 had fulfilled all 10 of the key practices, as illustrated in the figure. The remaining 13 contracts had incorporated 5 or more of the 10 key practices and 1 had not included any practices.
GAO recommends that OMB include all ten key practices in future guidance to agencies and that Defense, Health and Human Services, Homeland Security, Treasury, and Veterans Affairs implement SLA guidance and incorporate applicable key practices into their SLAs. In commenting on a draft of this report, OMB and one agency had no comment; the remaining four agencies concurred with GAO's recommendations.
Source: https://www.gao.gov/products/GAO-16-325